Insufficiently protected credentials in OpenClaw - CVE-2026-27003
Published: May 4, 2026
OpenClaw
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose a Telegram bot token.
The vulnerability exists due to insufficiently protected credentials in log handling when processing error messages and stack traces containing Telegram bot API URLs. A remote attacker can obtain exposed log output to disclose a Telegram bot token.
Exposed tokens may appear in crash reports, CI output, or support bundles.